Vulnerabilities > CVE-2022-22993 - Server-Side Request Forgery (SSRF) vulnerability in Westerndigital MY Cloud OS

CVSS 8.8 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

low complexity

westerndigital

CWE-918

NVD

Published: 2022-01-28

Updated: 2024-11-21

Summary

A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.

Vulnerable Configurations

Part	Description	Count
OS	Westerndigital Westerndigital MY Cloud OS - Westerndigital MY Cloud OS 5.02.104 Westerndigital MY Cloud OS 5.03.103 Westerndigital MY Cloud OS 5.04.114 Westerndigital MY Cloud OS 5.05.111 Westerndigital MY Cloud OS 5.06.115 Westerndigital MY Cloud OS 5.07.118 Westerndigital MY Cloud OS 5.08.115 Westerndigital MY Cloud OS 5.09.115 Westerndigital MY Cloud OS 5.10.122 Westerndigital MY Cloud OS 5.11.112 Westerndigital MY Cloud OS 5.12.108 Westerndigital MY Cloud OS 5.13.115 Westerndigital MY Cloud OS 5.14.105 Westerndigital MY Cloud OS 5.15.106 Westerndigital MY Cloud OS 5.16.105 Westerndigital MY Cloud OS 5.17.107 Westerndigital MY Cloud OS 5.18.117	18
Hardware	Westerndigital Westerndigital MY Cloud - Westerndigital MY Cloud Dl2100 - Westerndigital MY Cloud Dl4100 - Westerndigital MY Cloud EX2 Ultra - Westerndigital MY Cloud Ex2100 - Westerndigital MY Cloud Ex4100 - Westerndigital MY Cloud Mirror GEN 2 - Westerndigital MY Cloud Pr2100 - Westerndigital MY Cloud Pr4100 - Westerndigital WD Cloud -	10

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References